Dave Trudgian
@jisraeli - sorry for the delay. We are on Red Hat Enterprise Linux 6.8 in this case.
The project is not currently actively maintained. There is a possibility that it may be revived in future, but no releases are expected in the near future.
Container scanning with Clair turns out to be nice and straightforward, tested against Clair 2.0.0. A singularity image, exported to tar.gz, masquerades as a single layer docker image for Clair's...
@vsoch - yeah, getting a scan result is surprisingly easy. There is a bunch of filtering that is probably required though. Clair spits out a lot of CVEs for an...
I'm beginning my step 1 (a standalone tool that I need) at: https://github.com/dctrud/clair-singularity. Hope to have something usable (with some docs and a docker compose file that'll get clair...
@vsoch @remyd1 - The initial version at https://github.com/dctrud/clair-singularity is now a working thing with some docs, in case you'd like to try it out. I had a very uninterrupted morning,...
The trouble with scanning only before upload is that a scan result is a point-in-time thing. You don't just care about whether a container is secure only at the point...
For reference, here's what you get on quay.io when looking at a container repo: [image] And you can go to detailed scan results, e.g.: https://quay.io/repository/biocontainers/ariba/image/dd247e688e2d5392a899fd38881a281ea51e8011ae0db73eb9f8ebe8758d73a4?tab=vulnerabilities
Okay - I'm back thinking about this now. @vsoch - is there any appetite for being able to have something to support e.g. an app called `sregistry.plugins.clair`. I.e. would you...
Okay, I'll try and get something together as a point for discussion. Probably not a clair plugin first - but something that does something simple as a proof of concept...